SECURITYVULNS:DOC:499
Aug 02, 2000
vulners.com

BEA's WebLogic *.jsp/*.jhtml remote command execution
                        Foundstone, Inc.
                    http://www.foundstone.com
                  "Securing the Dot Com World"

                       Security Advisory

     BEA's WebLogic *.jsp/*.jhtml remote command execution

FS Advisory ID: FS-073100-10-BEA

Release Date: July 31, 2000

Product: WebLogic

Vendor: BEA Systems (http://www.beasys.com)

Vendor Advisory: http://developer.bea.com/alerts/index.html

Type: Possible remote command execution.

Severity: High (depending on your configuration)

Author: Shreeraj Shah ([email protected])
Saumil Shah ([email protected])
Stuart McClure ([email protected])

Operating Systems: All operating systems supported by WebLogic

Vulnerable versions: WebLogic, all versions

Foundstone Advisory: http://www.foundstone.com/advisories.htm

Description

    It is possible to compile and execute any arbitrary file
    within the web document root directory of the WebLogic server
    as if it were a JSP/JHTML file, even if the file type is not
    .jsp or .jhtml.

    If applications residing on the WebLogic server write to files
    within the web document root directory, it is possible to
    insert executable code in the form of JSP or JHTML tags and
    have the code compiled and executed using WebLogic's handlers.
    This can potentially cause an attacker to gain administrative
    control of the underlying operating systems.

    The theory behind such vulnerabilities is described in CERT
    Advisory CA-2000-02 which can be found at:
    http://www.cert.org/advisories/CA-2000-02.html

    This vulnerability is similar to the remote execution
    vulnerability for Sun's Java Web Server reported previously by
    Foundstone (FS-071000-5-JWS).

Details

    Looking into the weblogic.properties file, the following
    lines indicate how WebLogic associates handlers for compiling
    and executing JHTML and JSP files:

    weblogic.httpd.register.*.jhtml=\
           weblogic.servlet.jhtmlc.PageCompileServlet

    weblogic.httpd.register.*.jsp=\
           weblogic.servlet.JSPServlet

    JHTML pages in WebLogic get handled by
    weblogic.servlet.jhtmlc.PageCompileServlet, which compiles the
    JHTML pages (if they are not already compiled), executes them
    within the Java Runtime Environment and hands the output back
    to the web server. Similarly, weblogic.servlet.JSPServlet is
    responsible for compiling and executing JSP pages.

    It is possible to invoke these servlets manually using the
    /*.jhtml/ or /*.jsp/ prefix in the URL, and point it to any
    arbitrary file on the web server to be compiled and executed
    as if it were a JHTML or a JSP file. If JHTML or JSP code can
    be injected into any file on the web server via an application
    (e.g. a guestbook application), it is possible to execute
    arbitrary commands on the server.

Proof of concept

    Assume that there is an application on the WebLogic server
    that writes user entered data to a file called "temp.txt".

    Given below is JHTML/JSP code that will print "Hello World":

    <java>out.println("Hello World");</java>        (JHTML) -or-
    <% out.println("Hello World"); %>               (JSP)

    If this code is somehow inserted in the file "temp.txt" via
    an application, then the following can be used to invoke
    forced compilation and execution of "temp.txt":

    http://weblogic.site/*.jhtml/path/to/temp.txt   (JHTML) -or-
    http://weblogic.site/*.jsp/path/to/temp.txt
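    As an added detection example (not part of the Foundstone advisory), the
    Python below scans web-server access-log lines for the wildcard handler
    prefix shown above pointing at a file whose own extension is not
    .jsp/.jhtml. The Common Log Format and the sample entries are assumptions
    constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumed log format: Common Log Format, e.g.
#   10.0.0.5 - - [31/Jul/2000:10:15:22 -0700] "GET /x HTTP/1.0" 200 512
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# WebLogic handler prefix from the advisory: /*.jsp/<file> or /*.jhtml/<file>
HANDLER_PREFIX = re.compile(r'^/\*\.(jsp|jhtml)/(.*)$', re.IGNORECASE)

def classify_request(path):
    """Return (handler, target_path) if the URL path invokes the JSP/JHTML
    handler through the wildcard prefix, else None. The query string is
    dropped and percent-encoding (e.g. %2A for '*') is decoded first."""
    m = HANDLER_PREFIX.match(unquote(path.split('?', 1)[0]))
    if not m:
        return None
    return m.group(1).lower(), '/' + m.group(2)

def is_forced_compile(path):
    """True when the handler prefix targets a file that is not itself a
    .jsp/.jhtml page, i.e. an arbitrary document-root file is being
    compiled and executed."""
    hit = classify_request(path)
    if hit is None:
        return False
    handler, target = hit
    return not target.lower().endswith('.' + handler)

def scan_access_log(lines):
    """Yield (client, method, path, status) for each suspicious request."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, path, status = m.groups()
        if is_forced_compile(path):
            yield client, method, path, status

# Constructed sample log: a normal page view, a guestbook post that writes
# temp.txt, then two forced-compile requests (one percent-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jul/2000:10:15:22 -0700] "GET /index.jsp HTTP/1.0" 200 1024',
    '10.0.0.5 - - [31/Jul/2000:10:15:40 -0700] "POST /guestbook/sign HTTP/1.0" 302 0',
    '10.0.0.5 - - [31/Jul/2000:10:15:51 -0700] "GET /*.jsp/guestbook/temp.txt HTTP/1.0" 200 512',
    '10.0.0.9 - - [31/Jul/2000:10:16:03 -0700] "GET /%2A.jhtml/guestbook/temp.txt HTTP/1.0" 200 512',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print('forced compile:', hit)
```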

Solution

    Please refer to BEA's advisory BEA00-04.00 which can be found
    at http://developer.bea.com/alerts/index.html

Credits

    We would like to thank BEA Systems for their prompt reaction
    to this problem and their co-operation in heightening security
    awareness in the security community.

Disclaimer

    THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
    (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
    THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
    GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
    NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
    WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
    DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
    ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
    REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
    ADVISORY IS NOT MODIFIED IN ANY WAY.